RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 02:47:34 +00:00
Code Issues Activity Actions

Kernel: Implement an axallowed mount option

Browse source 
Similar to `W^X` and `wxallowed`, this allows for anonymous executable
mappings.
This commit is contained in:
Tim Schumacher 2022-05-05 18:30:24 +02:00 committed by Brian Gianforcaro
parent 6187cf72cc
commit 5efa8e507b
5 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
Base/usr/share/man/man2/mount.md
View file

@ -38,6 +38,7 @@ The following `flags` are supported:
* `MS_RDONLY`: Mount the filesystem read-only. * `MS_RDONLY`: Mount the filesystem read-only.
* `MS_REMOUNT`: Remount an already mounted filesystem (see below). * `MS_REMOUNT`: Remount an already mounted filesystem (see below).
* `MS_WXALLOWED`: Allow W^X protection circumvention for executables on this file system. * `MS_WXALLOWED`: Allow W^X protection circumvention for executables on this file system.
* `MS_AXALLOWED`: Allow anonymous executable mappings for executables on this file system.
These flags can be used as a security measure to limit the possible abuses of the newly These flags can be used as a security measure to limit the possible abuses of the newly
mounted file system. mounted file system.

1
Kernel/API/POSIX/unistd.h
View file

@ -28,6 +28,7 @@ extern "C" {
#define MS_RDONLY (1 << 4) #define MS_RDONLY (1 << 4)
#define MS_REMOUNT (1 << 5) #define MS_REMOUNT (1 << 5)
#define MS_WXALLOWED (1 << 6) #define MS_WXALLOWED (1 << 6)
#define MS_AXALLOWED (1 << 7)
enum { enum {
_SC_MONOTONIC_CLOCK, _SC_MONOTONIC_CLOCK,

2
Kernel/Syscalls/mmap.cpp
View file

@ -75,7 +75,7 @@ ErrorOr<void> Process::validate_mmap_prot(int prot, bool map_stack, bool map_ano
bool make_writable = prot & PROT_WRITE; bool make_writable = prot & PROT_WRITE;
bool make_executable = prot & PROT_EXEC; bool make_executable = prot & PROT_EXEC;
if (map_anonymous && make_executable) if (map_anonymous && make_executable && !(executable()->mount_flags() & MS_AXALLOWED))
return EINVAL; return EINVAL;
if (map_stack && make_executable) if (map_stack && make_executable)

1
Userland/Applications/SystemMonitor/main.cpp
View file

@ -287,6 +287,7 @@ public:
check(MS_BIND, "bind"); check(MS_BIND, "bind");
check(MS_RDONLY, "ro"); check(MS_RDONLY, "ro");
check(MS_WXALLOWED, "wxallowed"); check(MS_WXALLOWED, "wxallowed");
check(MS_AXALLOWED, "axallowed");
if (builder.string_view().is_empty()) if (builder.string_view().is_empty())
return String("defaults"); return String("defaults");
return builder.to_string(); return builder.to_string();

4
Userland/Utilities/mount.cpp
View file

@ -38,6 +38,8 @@ static int parse_options(StringView options)
flags |= MS_REMOUNT; flags |= MS_REMOUNT;
else if (part == "wxallowed") else if (part == "wxallowed")
flags |= MS_WXALLOWED; flags |= MS_WXALLOWED;
else if (part == "axallowed")
flags |= MS_AXALLOWED;
else else
warnln("Ignoring invalid option: {}", part); warnln("Ignoring invalid option: {}", part);
} }
@ -180,6 +182,8 @@ static ErrorOr<void> print_mounts()
out(",bind"); out(",bind");
if (mount_flags & MS_WXALLOWED) if (mount_flags & MS_WXALLOWED)
out(",wxallowed"); out(",wxallowed");
if (mount_flags & MS_AXALLOWED)
out(",axallowed");
outln(")"); outln(")");
}); });